oauthlint 0.6.0 → 0.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -42,7 +42,7 @@ npx oauthlint scan ./src --format html > report.html
|
|
|
42
42
|
npx oauthlint explain auth.jwt.alg-none
|
|
43
43
|
```
|
|
44
44
|
|
|
45
|
-
Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
|
|
45
|
+
Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/cli#baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
|
|
46
46
|
|
|
47
47
|
### Every finding teaches
|
|
48
48
|
|
|
@@ -50,12 +50,12 @@ Each finding ends with a hint, `↳ run \`oauthlint explain <rule-id>\` for deta
|
|
|
50
50
|
|
|
51
51
|
## What it catches
|
|
52
52
|
|
|
53
|
-
|
|
53
|
+
AI coding assistants — tools like GitHub Copilot, Cursor, and Claude Code, and others — ship the *same* auth bugs across every project: a JWT accepted with `alg: none`, a hard-coded `client_secret`, an OAuth flow with no `state`/PKCE, a token in `localStorage`, a `*` wildcard `redirect_uri`, an unrate-limited `/login`, a plaintext password, `Math.random()` for a CSRF token.
|
|
54
54
|
|
|
55
55
|
- **100+ rules** across **JS/TS · Python · Go · Java · Rust**, each mapped to CWE/OWASP with a fix page (a lesson, not a grep hit).
|
|
56
56
|
- **Dataflow (taint) analysis.** Beyond pattern-matching, the pack traces untrusted input through to dangerous sinks to catch **open-redirect** and **SSRF**.
|
|
57
57
|
- **HTML report.** `scan --format html` renders a self-contained, offline, no-JavaScript audit you can email or attach to a PR.
|
|
58
|
-
- Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/baseline) for existing codebases.
|
|
58
|
+
- Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/cli#baseline) for existing codebases.
|
|
59
59
|
|
|
60
60
|
👉 **Browse the always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
|
|
61
61
|
|
|
@@ -73,7 +73,7 @@ Per-language bundles exist too (`oauthlint-python.yaml`, `oauthlint-go.yaml`,
|
|
|
73
73
|
|
|
74
74
|
Honest answer: nothing stops you writing these rules yourself. Semgrep is open source and it's the engine we run, so there's no technical moat. What oauthlint gives you is the work most people never do:
|
|
75
75
|
|
|
76
|
-
- **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/
|
|
76
|
+
- **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/validation)).
|
|
77
77
|
- **One coherent product across every language.** Same concepts, same ID scheme, same docs, not a patchwork of community rules.
|
|
78
78
|
- **The angle the registry doesn't have.** It targets the auth bugs AI tools ship on repeat, encoded in each rule's `llm-prevalence` metadata and measured by a reproducible benchmark ([the research](https://oauthlint.dev/research)).
|
|
79
79
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "oauthlint",
|
|
3
|
-
"version": "0.6.
|
|
3
|
+
"version": "0.6.1",
|
|
4
4
|
"description": "Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce. CLI wrapper around the oauthlint-rules Semgrep rule pack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|